Feedback statement on the consultation paper on the management of operational risks in market-related activities (CP 35rev)

Similar documents
Final Report. Guidelines. on internal governance under Directive 2013/36/EU EBA/GL/2017/ September 2017

EBA/CP/2013/12 21 May Consultation Paper

Consultation paper. Guidelines on remuneration policies and practices (MiFID) September 2012 ESMA/2012/570

Consultation Paper. Draft Guidelines

DISCUSSION PAPER ON ACCESS TO SERVICE FACILITIES AND RAIL RELATED SERVICES

Kyte Broking Ltd. Conflicts of Interest Policy Summary Statement. Page 1 of 9

Final report. Guidelines on remuneration policies and practices (MiFID) 11 June 2013 ESMA/2013/606

EBA/RTS/2017/ December Final Report. Draft regulatory technical standards. on central contact points under Directive (EU) 2015/2366 (PSD2)

BANQUE CARNEGIE LUXEMBOURG REMUNERATION POLICY

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

Deutsche Börse Group Response

EBA/CP/2015/ December Consultation Paper. Guidelines on ICAAP and ILAAP information collected for SREP purposes

Basel Committee on Banking Supervision. Consultative Document. External audits of banks. Issued for comment by 21 June 2013

British Bankers Association response to EBA consultation on Recovery Planning Templates

REVISED CORPORATE GOVERNANCE PRINCIPLES FOR BANKS (CONSULTATION PAPER) ISSUED BY THE BASEL COMMITTEE ON BANKING SUPERVISION

DISCUSSION PAPER ON ACCESS TO SERVICE FACILITIES AND RAIL RELATED SERVICES. Article 1. Subject matter

EBA/CP/2016/ December Consultation Paper. Draft Guidelines on supervision of significant branches

DECISION 10/2014/GB OF THE GOVERNING BOARD OF THE EUROPEAN POLICE COLLEGE ADOPTING THE EUROPEAN POLICE COLLEGE S INTERNAL CONTROL STANDARDS AND

Consultation Paper. Draft Regulatory Technical Standards

CP ON GL ON MEASURES TO REDUCE OR REMOVE IMPEDIMENTS TO RESOLVABILITY EBA/CP/2014/15. 9 July Consultation Paper

FEDERATION OF EUROPEAN SECURITIES EXCHANGES (FESE)

GoldSRD Audit 101 Table of Contents & Resource Listing

EBA FINAL draft Regulatory Technical Standards

Operational risk systems and controls

GUIDELINES ON SOUND REMUNERATION POLICIES EBA/GL/2015/22 27/06/2016. Guidelines

INTERNATIONAL STANDARD ON AUDITING 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE CONTENTS

Governance manual for the banking sector SEPTEMBER 2017

Final report. Joint ESMA and EBA Guidelines

EBA Guidelines. On the Remuneration Benchmarking Exercise EBA/GL/2012/4

on remuneration policies and practices related to the sale and provision of retail banking products and services

Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

Guidance on the Application. of ISO / IEC Accreditation International Association for Certifying Bodies

EBF response to EBA Consultation Paper on Draft Guidelines on internal governance

SURYODAY SMALL FINANCE BANK LIMITED COMPLIANCE POLICY

Subject: NVB Reaction to EBA CP2013/02 on extensions and changes to IRB, IMA and AMA

- Convenience Translation -

International Standard on Auditing (Ireland) 500 Audit Evidence

concerns regarding the definition and suggest revised wording.

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report

September Remuneration Policy Summary

Asset management Management systems Guidelines for the application of ISO 55001

General Principles for Engagements Performed in Accordance With Statements on Standards for Accounting and Review Services

CENTRAL BANK OF CYPRUS

Understanding Internal Controls Office of Internal Audit

Federal Financial Supervisory Authority (BaFin)

COMPETENCE & COMMITMENT STATEMENTS

Corporate Governance Statement in Accordance with Section 289a of the HGB for the Fiscal Year from January 1 to December 31, 2015

IoD Code of Practice for Directors

Achieve. Performance objectives

Work plan for enhancing the management and administration of UNCTAD

Enactment of the Corporate Governance Policy

REMUNERATION POLICY EDMOND DE ROTHSCHILD ASSET MANAGEMENT (LUXEMBOURG)

German Corporate Governance Code

KEY. riskupdate PREDICTIONS FOR Risk Reward. Jan 2011

Basel Committee on Banking Supervision. Consultative Document. Stress testing principles. Issued for comment by 23 March 2018

Independent Regulators Group Rail. IRG Rail

BERMUDA MONETARY AUTHORITY

Report to the European Commission on the Application of Group Supervision under the Solvency II Directive

Scope of this SA Effective Date Objective Definitions Sufficient Appropriate Audit Evidence... 6

Evaluating Internal Controls

INTERNATIONAL STANDARD ON AUDITING (IRELAND) 210 AGREEING THE TERMS OF AUDIT ENGAGEMENTS

INTERNATIONAL STANDARD ON AUDITING (NEW ZEALAND) 500

Developing a New Approach to Compiling the Balance of Payments in The Netherlands

PRINCE Update. Changes to the manual. AXELOS.com. April 2017 PUBLIC

Mr Jose Maria Roldän Chairman Committee of European Banking Supervisors Floor 18, Tower Old Broad Stree LONDON EC2N1HQ

DIRECTOR TRAINING AND QUALIFICATIONS: SAMPLE SELF-ASSESSMENT TOOL February 2015

China Southern Airlines Company Limited Terms of Reference of Audit and Risk Management Committee

Nasdaq Sweden Remuneration Policy. May, 2016

BOM/BSD 2/November 1994 BANK OF MAURITIUS. Guideline on Maintenance of Accounting and other Records and Internal Control Systems

Consultation Paper Draft Guidelines on Anti-Procyclicality Margin Measures for Central Counterparties

(Adopted by the Board of Directors on 13 May 2009 and amended on 24 September 2009, 13 September 2012 and 27 November 2013)

Auditing Standards and Practices Council

AMF Recommendation Pro forma financial information

RULES OF PROCEDURE REMUNERATION AND HR COMMITTEE SUPERVISORY BOARD RABOBANK 1

UNBUNDLING OF DISTRIBUTION SYSTEM OPERATORS

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

Job Evaluation Guide for TMG. October 2016

Slavery and Human Trafficking Statement. Kawasaki Precision Machinery (UK) Limited for the year ending 31 December 2016

INTERNATIONAL STANDARD

REPORT 2016/033 INTERNAL AUDIT DIVISION

Urban Development Institute of Australia Western Australian Division Incorporated

Supervisory Board Charter of the Audit Committee

AAT Level 4 Higher Apprenticeships

February King III Amendment

THE NEW AND REVISED INTERPRETATIONS CONTAINED IN THIS DOCUMENT ARE EFFECTIVE ON AUGUST 31, 2017 UNLESS OTHERWISE NOTED.

FLORIDA DEPARTMENT OF TRANSPORTATION

Consultation Paper CP26/17 Model risk management principles for stress testing

ECB-PUBLIC OPINION OF THE EUROPEAN CENTRAL BANK. of 4 October 2017

Humber Information Sharing Charter

Corporate Governance Statement John Bridgeman Limited

Governance and Risk Mitigation A Supervisor s Perspective

Bowmer. & Kirkland. Kirkland. & Accommodation. Health & Safety Policy.

Independent Auditor s report

Guideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016

Business Administration. Level 2 QCF units Skills CFA B&A units L2 Page 1

FINAL REPORT ON THE DRAFT RTS AND ITS ON THE EBA REGISTER UNDER THE PSD2 EBA/RTS/2017/10 EBA/ITS/2017/ December 2017.

STATEMENT OF AUDITING STANDARDS 500 AUDIT EVIDENCE

Final Report. Guidelines on product oversight and governance arrangements for retail banking products EBA/GL/2015/ July 2015

Guidelines on the management body of market operators and data reporting services providers

Transcription:

12 October 2010 Feedback statement on the consultation paper on the management of operational risks in market-related activities (CP 35rev) 1. On 23 June CEBS submitted the revised draft Guidelines on the management of operational risk in market-related activities for a second public consultation - the consultation period ended on 23 July 2010. Eight responses have been received; two respondents did not wish their comments to be published 1. 2. Most respondents also commented within the first public consultation and acknowledged that CEBS has considered most of the comments. Respondents mostly focussed their comments on text which has been changed and paragraphs where they still felt that the wording was not clear enough. The consultation paper has been revised on the basis of the comments received and was discussed again within the CEBS s expert group. 3. In the Annex, a feedback table is provided which gives a detailed description of the comments received and CEBS s responses to them. However, in some cases respondents only suggested minor drafting changes which have been partly accommodated without being explained in detail. In addition CEBS has made some wording changes to improve the consistency of the document. All paragraphs affected by such changes are listed in the first section (Introduction) of the feedback table under other changes. 1 The public responses to CP35 are published on the CEBS website under the following link: http://www.c-ebs.org/publications/consultation-papers/all-consultations/cp31-cp40/cp35- revised/responses-to-cp35-revised.aspx

Annex Feedback table on CP35: analysis of the public responses and suggested amendments The first column of the feedback table makes reference to the terminology and paragraph numbering used in the original CP35rev. The last column refers to the terminology and paragraph numbering in the final guidelines; where the paragraphs have been re-numbered or newly numbered, this has been made clear. CP35rev Summary of comments received CEBS s response Amendments to the proposals set out in the Guidelines Guidelines on operational risk management in market-related activities 1. Introduction General Comment Respondents argued that for the implementation of the guidelines a substantial amount of work is required and that therefore a longer timescale for their implementation should be granted to institutions. The implementation date is a mandatory date for the implementation of the guidelines in national regulatory frameworks by the supervisory authorities and is not directly applicable to the institutions: this is already stated in the guidelines. After their implementation, the guidelines will be applied by the supervisory authorities - this usually includes a sufficient timeframe for implementation. The 2

implementation date will be changed according to the publication of the final guidelines. General Comment It was recommended to elaborate more on the creation of a new culture in institutions and corporate governance in general. These should also aim to ensure that institutions act in the best interest of clients. Institutions should strive to reduce operational risks and prevent operational risks being transferred to the clients. CEBS s Guidelines on the Supervisory Review Process and the High Level Principles on Risk Management include principles on internal governance and risk culture, while CP 35 is focussing in particular on operational risk management. CEBS is updating the guidelines on governance and is going to publish a consultation paper in the fourth quarter of 2010. Given the actual regulations in place, the management body has to act in the best interest of the institution. However, institutions have to take duly into account the customer s interest, obeying laws and contracts. An extended duty of care is being discussed at European level (see also: the European Commission s Green Paper on corporate governance and remuneration). General Comment Respondents commented again that the consultation paper still gives little focus to important areas on day-to-day operational risk management and focuses unduly on the comparatively rare area of rogue trader. 3 The Guidelines are mainly dealing with operational risk management in market-related activities. In some areas they deliberately focus on rogue trading events as they are important operational risk drivers in that area. However, CEBS has already published Guidelines on internal governance and Paras. 2 and 4

risk management which are also applicable to the management of operational risk in general. General Comment Respondents commented that operational risk also encompasses losses created by unexpected market risk exposures and that in the assessment of operational risks firms need to take into account the potential for market and credit losses and not just the immediate P&L costs. The Guidelines on the Scope of Operational risk, contained in the Compendium (published 8 September 2009) clearly define the scope of operational risk. According to the definition market risk losses caused by operational risk events are included in the scope of operational risk. The cause of major credit risk losses need to be analysed. If they are caused by operational risks, this has to be highlighted in the loss data. However, those credit losses are not included in the scope of operational risk losses for the purpose of calculating AMA regulatory capital General Comment (and Paras 43, 44, 48) Respondents commented that a decision to introduce risk management and control measures also needs to take into account the risk exposures and the costs of such measures and that for any change made or new activities a review of operational risks should be undertaken. From a supervisory perspective it is crucial that institutions define a risk strategy and a risk appetite/tolerance level and introduce measures to ensure that the institution complies with them. This is already contained in Principle 4 of these Guidelines, which need to be read together with the Guidelines on the Supervisory Review Process and the High Level Principles on Risk Management (see also paragraph 4). The latter also contains guidelines on new product approval policies. 4

General Comment (and Paras 2, 8, 20, 21, 53) It was suggested that the guidelines should emphasise that the significance of many operational risks in market-related activities is bound up with unexpected market risk exposures or actual loss and that market risk losses need to be taken into account in the assessment of operational risk. This should also be recognised in the setting of objectives. The issue is clarified in the Guidelines on the Scope of operational risk. However in paragraph 8 the scope of operational risk losses has been clarified. Para. 8, footnote added 10 Respondents suggested that proportionality should take into account the scope for the risk to create actual market losses or high levels of unplanned market risk exposure. The principle of proportionality is a concept which applies to several guidelines. However as the complexity of an institution and its activities is a driver of that principle, the risk profile of an institution is recognised within this principle. General comment It was suggested using control and support functions throughout the document. As the definition provided also contains functions which are outside the definition of control functions used in other CEBS guidelines, CEBS has accommodated the comment. However, in most paragraphs the actual tasks would usually be performed by a control function (i.e. internal control, compliance or audit). Paragraphs Other changes 9, 31, 35, 50 Some minor drafting changes were made to accommodate comments received or to improve the consistent use of terms throughout the document. Paragraphs 2. Governance mechanisms 5

13 It was suggested that the terms back office and middle office be replaced with an expanded list of functions and to reformulate the last part of the paragraph as follows: Duties should be allocated appropriately to support functions and individuals, also taking into account appropriate segregation of duties. The comments have been accommodated. Para. 13. Others suggested stressing that incompatibilities are less an issue, but that conflicts of interest should be avoided. 13 It was commented that physical segregation might enhance the effectiveness of the segregation of duties. 14-1 Respondents asked for clarification of what is meant by integration of key procedures. 6 To safeguard the integrity of data and documentation physical segregation might be helpful. However, there is also a need for co-ordination and cooperation. Appropriate segregation could be implemented via access rules. Institutions should consider whether appropriate physical segregation of the functions would enhance the implementation of rules regarding the segregation of duties (e.g. front office staff should not have physical access to back office IT systems, printers and documentation in the absence of back office staff). The paragraph has been rephrased. The integration or co-operation of control and support functions, in particular including finance and risk control, may increase the level of Para. 13 Para. 14-1

surveillance and control of the trading activities and helps to create a holistic view of such activities. 15 Code of conduct should be replaced with having appropriate policies setting standards as firms may not have implemented those in one single code of conduct. The comment has been accommodated, however the term code of conduct was kept in brackets as it is also referred to in other guidelines. Para. 15 15 Respondents requested that it should be clarified that the second sentence includes possible examples which could be implemented. It was suggested to add some possible communication channels for the notification of material infringements of the desired risk culture and that whistle-blowing procedures, if implemented (Principle 16), are being used for this purpose. 16 Respondents suggested that reference to not using mobile devices be included in the requirement for absence. 17 Respondents suggested the third sentence ( To this end, a good knowledge of products and techniques used for products evaluation and risk assessment is highly recommended. ) be deleted as this requirement is too far reaching. 12 and 17 Respondents commented that training and competence is very important. It should be 7 CEBS has clarified the text and its expectation that the examples mentioned should be implemented while other measures might also be taken to achieve high professional standards and a sound risk culture. The reference to communication channels has been deleted as this is sufficiently covered within Principle 16. The suggestion has been accommodated. CEBS believes that these requirements are already included in the first two sentences of this paragraph. However, the sentence has been deleted as it may be too specific. It is important to consider the operational risk which stems from Para. 15 Para. 16 Para. 17

regarded by firms as essential before a person is given authority by the firm to deal in particular products or use particular Front Office systems. Training and competence should be within the explicit scope that the management body should concern itself with. It was suggested extending the knowledge required for senior management to include an understanding of the risks associated with making staff appointments as envisaged in Paragraph 16. inappropriately trained staff and appointments of staff in front and back offices. CEBS considers appropriate recruiting and training routines to be in the wider scope of internal governance. Guidelines on the appropriate knowledge of staff in general are being considered in the review of the CEBS internal governance guidelines. 17 Respondents suggested clarifying the paragraph, as it might be understood to require all members of senior management to have a good knowledge of all historical loss events 19 Respondents invited CEBS to specify the exact drivers that should be used to control remuneration in order to avoid commonalities of interest and scope. 8 The language has been clarified. Senior management need to acquire, maintain and deepen their knowledge and skills to fulfil their responsibilities. This includes having a good understanding of potential and actual operational risks. Within marketrelated activities this includes, besides others, operational risk exposures in the front office, in the settlement processes and in new products and processes. The exact drivers or indicators can only be identified by the institution depending on its internal control framework. The Directive 2006/48/EC Annex V, Par. 23, No. d (CRD III) requires that staff members engaged in control functions are independent from the business units Para. 17 Para. 19

21 It was suggested to refer to risk indicators and alert levels rather than mentioning operational risk limits and to keep a reference that legal constraints concerning the protection of personal data need to be respected. they oversee, have appropriate authority, and are compensated in accordance with the achievement of the objectives linked to their functions, independent of the performance of the business areas they control. CEBS will develop specific guidelines dealing with the CRD requirements on remuneration. The text has been aligned to the CRD III text. Alert levels have been added as a further example to define an operational risk limit. The sentence However, this should not violate regulations on the protection of personal data and other relevant legislation. was deleted from the initial CP 35. The establishment of a harmonised regulatory framework is one of the objectives of the guidelines. The guidelines need to be implemented by the supervisory authorities in a comply or explain approach, taking into account also national specifics. This ensures that the applicable regulatory requirements are met. Para. 21. Principle 5 Respondents recommended that the scope of fraudulent actions be defined more clearly as the legal definition deviates from the definition used in operational risk management. The definition has been aligned with the definition provided in Dir 2006/48/EC. It has also stated that suspicious behaviour should be within the scope of internal controls. Principle 5, footnote added 9

22 Respondents suggested focusing in Paragraph 22 only on fraud management in market-related activities, as some overlap exists with other national regulations. The guideline and Principle 5 focus on operational risk management within market-related activities. The language has been clarified. However, anti-fraud management should not be limited to the market-related activities. Para. 22 23 Respondents commented that a physical segregation of IT systems used in front office and back office would be too far reaching. Fraud prevention could be attained by means of program-specific routines. 23 It was suggested to replace regular fraud testing by regular fraud incident review and analysis Paragraph 23 contains a list of examples, which may be helpful in implementing measures aimed at fraud prevention and detection. The example on IT systems has been clarified. Fraud prevention could be achieved by appropriate definition of access rights, infrastructure providing appropriate protection of the data used for posttrading processes from undue interference (for instance via physical or logical separation of the infrastructure used for trading and post-trading processes). Para. 23 The comment has been accommodated. Para. 23 23 It was suggested to include as an example of fraud detection and prevention the setting of triggers for reviewing operational risks. The idea is already contained in the sixth bullet point, the language has been clarified. Para. 23 23-7 Respondents suggested deleting this requirement as too detailed disclosure of control procedures might lead to a situation where they can be 10 The comment has been accommodated Bullet point deleted

circumvented. 23-25 Respondents commented again that these paragraphs should be deleted and suggested that some principles based drafting replace them. 24 It was suggested that escalation processes should be independent from the person supervising them to avoid complicity. 24, 25 Respondents suggested clarifying that the information should include but is not limited to actual fraud or suspicious behaviour. Principle 6 Respondents commented that this principle applies also to market risk and not only operational risk management. 3. Internal controls CEBS has responded to this comment within the first consultation and has not changed its position regarding this issue. In addition to the regular reporting lines it is recommended to implement whistle-blowing procedures. The comment has been accommodated Other comments have also been made on the scope of the guidelines. CEBS has clarified the issue in the Introduction. Paras. 24 and 25 Paras. 2 and 4 33 Respondents commented that trading outside the business premises must be subject to operational risk review. The comment has been accommodated. Para. 33 Principle 9 It was suggested that market risk management focuses on P&L recording, valuations and contingent cash flows. By focusing purely on actual cash flows this principle can be seen as undermining necessary controls in the management of market risk. The comment has been accommodated. Trading book positions, profits and losses, calculations and contingent cash flows associated with a transaction should be clearly recorded in the institution s IT systems, with a documented audit trail. Principle 9 11

Principle 9 Respondents asked for clarification of the Principle and for the particular risks to be outlined as well as clarification of the phrase systematic ex-post controls. 36, 37 Respondents understood the paragraph still to implicitly contain a trader oriented button push audit trail which is very burdensome to implement. All key trade details need to be captured in the appropriate IT system within good time. Manual documentation should be an exception and captured later on in the IT system. There should be controls performed by the control functions. Paragraph 37 clearly stated that a push button audit trail at the trader level may not be required: the language has been further clarified. Principle 9 and Para. 35 Paras. 36 and 37. 38 It was suggested that the reference to pricing of trades be deleted as it is redundant to paragraph 53. The comment has been accommodated Para. 38 39 Respondents asked for clarification of what should be included in the monitoring of the relationship between traders and clients. The paragraph has clarified, some examples have been added. The relationship and connection between professional clients or eligible counterparties and front office staff should be considered. Institutions should monitor these relationships (e.g. ex-gratia payments, any other significant payments made or received outside the scope of the contractual arrangement). Para. 39 46 It was suggested replacing position and cash Institutions should reconcile trading Para. 46 12

flow reconciliation with cash position reconciliation. 47 It was suggested the text be changed as follows: Institutions should make sure that internal trades are subject to the proper degree of monitoring; in particular, inter-company trades should be subject to similar conditions and controls (or controls creating the same level of confidence) as those in place for trades with 13 positions as well as cash balances. The paragraph has been further clarified to explain which controls should be performed. CEBS considers it to be necessary to reconcile cash to the general ledger daily and that trade amendments or late bookings are reflected in the reconciliation process. The daily reconciliation of cash balances across systems (front-office, settlement and ledger) is a strong control tool especially for derivatives as it permits the detection of inconsistencies in exercises or expiries: exercising an option in one system and not in another can have the same effect as booking fictitious transactions. Therefore institutions should set up daily reconciliations of positions and cash flows across their own systems (frontoffice, risk, settlement and general ledgers) and with external parties. These reconciliations should include all events attached to the transactions including amendments, cancellations, exercises, resets and expiries. The paragraph has been clarified. Internal trades should be subject to conditions and controls, creating the same level of confidence as those in place for trades with external counterparts. In particular, when not subject to margining or physical. Para. 47

external counterparts. settlements, both sides of the trades should be reconciled daily on their key attributes. 48-5 It was suggested to replace unsettled by failed The comment has been accommodated Para. 48-5 49 It was commented that margin calls are not reconciled to traders. The reference to traders has been deleted. However, in cases of anomalies, institutions need to be able to follow a transaction back to the trader. Para. 49 52 It was commented that the paragraph is unclear and that independent validation is already included in Principle 13. The paragraph should be deleted. The paragraph has been deleted. Para. 52 and document renumbered 53 Respondents asked for clarification how this relates to Principle 13 and how the P&L contribution should be understood in this context. 14 Institutions should understand which aspects lead to the P&L generated in the trading area. The P&L should be plausible in the context of the trading mandate and market developments. Major implausibilities discovered within the P&L should be further analysed to see if they are caused by operational risk events. In particular monitoring of anomalies such as cancellations, amendments and late or off-market trades should be integrated into the daily and monthly P/L processes. Para. 52

55 It was suggested that the provision would also apply when the reason for using a technical account is not adequately clear. Substantial trade amendments should be formally reported to the market and credit risk control functions. CEBS considers this is already within the scope of paragraph 54. 56 Change based on CEBS s review After reviewing the guidelines CEBS felt that the formulation was very vague and didn t cater for the fact that daily (i/o monthly) controls on internal accounts may have prevented severe rogue trading events observed in the past where such accounts were used to hide positions at month-end. Reconciling internal balances/trades only on a monthly basis can lead to significant losses as this allows unbalanced internal positions to go undetected for several weeks. Therefore the former CP35 formulation was added to stress the importance of an appropriate control frequency: Introducing only monthly controls on trading books (e.g. funding cost allocation, internal and intercompany trade reconciliations, suspense accounts control and reporting) may lead to an undue delay in the detection of anomalies. However, this can be implemented in a proportionate way. Para. 56 57 Respondents suggested that the frequency of monitoring should be based on a case by case risk 15 The paragraph has been to accommodate the comment so that the Para. 56

analysis. 58 It was suggested that in the event of exceptions and exemptions there should also be an escalation process so management can take appropriate action. risk profile should also be considered in finding the right frequency for monitoring activities. CEBS would assume that the analysis by the control function would involve sufficiently senior staff members. Escalation processes are sufficiently covered in Principle 16. 58 Limits and controls on nominal values would be too restrictive, market risks are often limited by e.g. VaR limits. It is not possible to limit operational risks by nominal limits without limiting the size of the business. 62 Respondents suggested that the regularity of testing and monitoring of IT systems should be determined on a case by case basis based on risk analysis. CEBS has accommodated the comment. Controls could also include alert procedures and other measures so that further analysis by the appropriate control function is triggered. Institutions need to determine an appropriate frequency for this activity. When implementing these guidelines the principle of proportionality applies and therefore the frequency may also depend on the complexity of the systems and the activities supported, which are major drivers for the risks associated with those activities. Para. 57 65 and 67 Changed based on CEBS s review The requirements regarding the report have been restructured without changing the content. Paras. 64 and 66 4. Internal reporting system Principle 17 Respondents asked CEBS to suggest an As stated in the explanatory notes, information needs differ among the 16 Paras. 66 and

appropriate level of granularity. recipients. The level of detail also depends on the complexity and size of the business. The reporting framework has to be defined by the institution, including an appropriate level of granularity. 67 CEBS has clarified that information provided needs to be sufficient to serve the intended purpose. A one size fit all approach regarding granularity is not feasible. The effectiveness of the reporting framework should be within the scope of internal audit, including the level of granularity. 17

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback